usd-2021-0009 | VMware Workspace ONE Intelligent Hub
Advisory ID: usd-2021-0009
Affected Product: VMware Workspace ONE Intelligent Hub
Affected Version: 21.01.0.24 (Android) and 21.01.0 (Build d3dd95e, iOS)
Vulnerability Type: CWE-912: Hidden Functionality (Backdoor)
Security Risk: MEDIUM (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
Vendor URL: https://www.VMware.com/de/products/workspace-one/intelligent-hub.html
Vendor Status: Not fixed / Disputed
The following behavior was reported to VMware in March 2021. After finishing their investigations, VMware informed us that they do not agree that their dynamic compromise detection would violate app store policies regarding run-time code retrieval and execution. Please find their detailed statement here: https://code.vmware.com/docs/13894/StatementDeviceCompromiseDetection.pdf.
Description
The VMware Workspace ONE Intelligent Hub Apps for Android and iOS implement and use a mechanism to dynamically load remote code and execute it on mobile phones without indication to end users.
According to Google’s Developer Program Policy, a backdoor is „code that allows the execution of unwanted, potentially harmful, remote-controlled operations on a device“.
Apple’s Software Requirements for apps enforce that „apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps“.
The VMware Hub applications implement a Dynamic Compromise Detection mechanism for which JavaScript code is downloaded from external endpoints and then executed in the application context. Further, native interfaces are exposed to the JavaScript code offering the ability to directly run OS commands.
Proof of Concept (PoC)
The Workspace ONE Intelligent Hub Apps download remote contents from the following endpoints:
- https://api.na1.region.data.vmwservices.com/api/v1/sdk/compliance/rules/an5r0i5payl0adg3n3rat0R (Android Hub App)
- https://api.na1.region.data.vmwservices.com/api/v1/sdk/compliance/rules/payl0adg3n3rat0R (Android Hub App)
- https://api.na1.region.data.vmwservices.com/api/v1/sdk/compliance/rules/ws10per8t10nAlD8ta (iOS Hub App)
The following request and response illustrate the communication with these endpoints:
GET /api/v1/sdk/compliance/rules/an5r0i5payl0adg3n3rat0R HTTP/1.1
Host: api.na1.region.data.vmwservices.com
[...]
Response:
HTTP/1.1 200
Date: Tue, 02 Mar 2021 12:33:29 GMT
Content-Type: application/json
Connection: close
vary: accept-encoding
Content-Length: 13719
{
"data" : {
"id" : "an5r0i5payl0adg3n3rat0R",
"rules" : {
"payload" : "MIInbAYJKoZIhvcNAQcCoIInXTCCJ1kCAQE[...]",
"payloadVersion" : "1"
},
"created_at" : 1588726763166,
"created_by" : "thor",
"modified_at" : 1588786684777,
"modified_by" : "thor"
}
}
The payload consists of a PKCS#7 encoded and signed blob. During our assessment it was not possible to bypass the signature validation and inject malicious code.This payload can be decoded using OpenSSL, an exemplary excerpt of the downloaded JavaScript code is presented in
the following:
$ cat payload.b64 | base64 -d > payload.txt
$ openssl asn1parse -inform der -in payload.txt -dump
Excerpt of decoded payload:
[...]
function u() {
var t = [], s = native_Exec("id");
if (null != s && s.length > 0)
for (i = 0; i < s.length; i++)
-1 != s[i].indexOf("(root)") && (t.push("90413-1"),
k("E", "Root detected code 90413-1"));
return null != (s = native_Exec("su -c ls")) && s.length > 0 && (t.push("90411-1"),
k("E", "Root detected code 90411-1")),
null != (s = native_Exec("su")) && s.length > 0 && (t.push("90412-1"),
[...]
}
[...]
As the above snippet shows, the application provides native interfaces to the JavaScript code. For instance, the native_Exec() function appears to be a wrapper for the C function system() which allows the execution of arbitrary operating system commands.
The aforementioned mechanism enables VMware to run arbitrary commands which are retrieved from external resources on the user’s device, resulting in backdoor capabilities.
Fix
It is recommended to follow Apple's and Google's guidelines regarding secure app development and distribution. Further, it is recommended to include the entire code within the application bundle.
References
- https://cwe.mitre.org/data/definitions/912.html
- https://developer.apple.com/app-store/review/guidelines/#software-requirements
- https://support.google.com/googleplay/android-developer/answer/11365487
Timeline
- 2021-03-12: This vulnerability was identified by Leif Enders and Lauritz Holtmann.
- 2021-03-14: Advisory submitted to vendor via e-mail.
- 2021-05-07: Vendor states that they won’t fix this issue: https://code.vmware.com/docs/13894/StatementDeviceCompromiseDetection.pdf
- 2021-12-30: Security advisory released by usd AG.
Credits
This security vulnerability was found by Leif Enders and Lauritz Holtmann of usd AG.